Clients Connecting to Wrong GUPs

What would cause clients to contact GUPs outside of their subnet? I thought clients locate GUPs inside their subnet fist, if none are found or available they use the SEPM. I have clients connecting to GUPs outside of their subnets all over the place.

For example:

GUP A - ip: 10.10.40.2
GUP B - ip: 10.10.50.2
GUP C - ip: 10.10.60.2

All LU Policies below us a Single GUP IP address.

I assigned LU Policy 1 to Group 1. Clients with all ip's of 10.10.40.xxx to use GUP A.
I assigned LU Policy 2 to Group 2. Clients with all ip's of 10.10.50.xxx to use GUP B.
I assigned LU Policy 3 to Group 3. Clients with all ip's of 10.10.60.xxx to use GUP C.

However, all clients are connecting to GUP A, GUP B, GUP C. Seems like most clients are hitting GUP A though. Perhaps because it was the first machine to become a GUP (noticed it was the first to create the SharedUpdates folder). Clients seem like they are not using the subnet filter when searching the list of GUPs from the globallist, which does have the GUPs sorted by subnet.

Am I understanding the use of "subnets" for GUPs correctly?

I also tried configuring one LU Policy inherited down to all Groups using Multiple GUPs but the same thing happened.

Also, not sure if this matters, but all clients and GUPs in all groups use the same subnet mask (255.255.0.0)

I am using the latest version of SEPM (12.1.1101.401 RU MP1). Some clients are still on (12.1.1000.157).

I was not aware that you have to create seperate locations for each group in order to restrict clients from using GUPS outside of their subnet. I thought the Clients select the GUP that is in their subnet when they retreive the list from the SEPM's globallist (...data\outbox\agent\gup) and ignore all other GUPs on the list.

A single Group Update Provider is a dedicated client computer that provides content for one or more groups of clients. A single Group Update Provider can be a client computer in any group. To configure a single Group Update Provider, you specify the IP address or host name of the client computer that you want to designate as the Group Update Provider.

Multiple Group Update Provider

Multiple Group Update Providers use a set of rules, or criteria, to elect themselves to serve groups of clients across subnets. To configure multiple Group Update Providers, you specify the criteria that client computers must meet to qualify as a Group Update Provider.

If a client computer meets the criteria, the Symantec Endpoint Protection Manager adds the client to its list of Group Update Providers. Symantec Endpoint Protection Manager then makes the list available to all the clients in your network. Clients check the list and choose the Group Update Provider that is located in their subnet.

You can also configure a single, dedicated Group Update Provider to distribute content to clients when the local Group Update Provider is not available.

I read mixed comments about how the clients apply the filter to the list of GUPs. Do they filter based on the subnet mask such as my 255.255.0.0 or do they look for matching subnets in the ip address such as a GUP at 10.10.50.2 and a client at 10.10.50.8 will find and use that GUP?

In SEP 11 RU5, clients "assumed" a Class C subnet mask and you could have clients contacting GUPs outside of its local subnet.

From what I understand, that has now been fixed up and subnet mask is calculated correctly. Which for you is a problem. All of your machines use 255.255.0.0 as the subnet mask. That means 10.10.x.x are all on the same subnet. That measn that all clients will contact GUPs starting at the lowest IP address. 10.10.40.xxx is lower than 10.10.50.xxx which is lower than 10.10.60.xxx. Thus all your clients will try to contact GUP A first. If GUP A is too busy and the retry time expires, clients will contact GUP B next and only seldomly GUP C.

Of all the options availabel to you, changing your network design for a new subnet mask is the most disruptive.

On the other hand, implementing Location awareness can be done with a few clicks after the proper approcal has been given and the change control process has been followed. I like using default gateway as a criteria for my location on the corporate network.

Please mark the post that best solves your problem as the answer to this thread.